Closed Bug 117307 Opened 23 years ago Closed 23 years ago

Crash in error handler on invalid JavaScript

Categories

(Core :: JavaScript Engine, defect)

x86
All
defect
Not set
critical

Tracking


VERIFIED FIXED

People

(Reporter: bht237, Assigned: khanson)

Details

(Keywords: crash, testcase)

Attachments

(4 files)

Build ID: 2001122803

Mozilla crashes on pages that are "translated" by Google.

I guess authors cannot do much about this because the original pages are
compliant and error-free.

I have saved a "translated" index page and reduced it to a rather primitive
testcase.

I have done my best to make it as easy as possible; the original page was rather
complex.

Hope this helps to make Mozilla the most stable browser on the planet!
Attached file Testcase
Refer to talkback ID in comments
Talkback ID TB1016464Y
Confirming on Linux build 2001122821. Could someone bump up the Severity of this?
Thanks for testing Mozilla.
crashes 2001122608 Linux

CC: stephend@netscape.com, for talkback retrieval, please (TB1017405E)
Severity: normal → critical
Keywords: crash, testcase
OS: Windows 95 → All
Over to JS engine (visual inspection of testcase suggests that the c.caller
business is to blame).
Assignee: asa → rogerl
Component: Browser-General → Javascript Engine
QA Contact: doronr → pschwartau
confirming 2001122803 w2k
Status: UNCONFIRMED → NEW
Ever confirmed: true
Removing CC Stephend: we already have a stack trace.

win2k stack trace :
fun_getProperty(JSContext * 0x03c8b488, JSObject * 0x03d87840, long -13, long * 
0x0012de1c) line 935 + 12 bytes
js_GetProperty(JSContext * 0x03c8b488, JSObject * 0x03d87840, long 15255704, 
long * 0x0012de1c) line 2447 + 149 bytes
js_Interpret(JSContext * 0x03c8b488, long * 0x0012dfcc) line 2630 + 1998 bytes
js_Invoke(JSContext * 0x03c8b488, unsigned int 3, unsigned int 2) line 849 + 13 
bytes
js_InternalInvoke(JSContext * 0x03c8b488, JSObject * 0x02bfee18, long 64518208, 
unsigned int 0, unsigned int 3, long * 0x04028100, long * 0x0012e0f4) line 924 + 
20 bytes
JS_CallFunctionValue(JSContext * 0x03c8b488, JSObject * 0x02bfee18, long 
64518208, unsigned int 3, long * 0x04028100, long * 0x0012e0f4) line 3405 + 31 
bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x03c650a8, void * 0x02bfee18, 
void * 0x03d87840, unsigned int 3, void * 0x04028100, int * 0x0012e240, int 1) 
line 1011 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x03ffc160, nsIDOMEvent 
* 0x04028068) line 180 + 77 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x03f804d0, 
nsIDOMEvent * 0x04028068, nsIDOMEventTarget * 0x03c8b250, unsigned int 8, 
unsigned int 7) line 1205 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x03ffc0a0, 
nsIPresContext * 0x03effa38, nsEvent * 0x0012ea30, nsIDOMEvent * * 0x0012e91c, 
nsIDOMEventTarget * 0x03c8b250, unsigned int 7, nsEventStatus * 0x0012ec34) line 
1878 + 36 bytes
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x03c8b240, 
nsIPresContext * 0x03effa38, nsEvent * 0x0012ea30, nsIDOMEvent * * 0x0012e91c, 
unsigned int 1, nsEventStatus * 0x0012ec34) line 636
NS_ScriptErrorReporter(JSContext * 0x03c8b488, const char * 0x0401dae0, 
JSErrorReport * 0x0012ec84) line 170
js_ReportCompileErrorNumber(JSContext * 0x03c8b488, JSTokenStream * 0x0401d008, 
JSCodeGenerator * 0x00000000, unsigned int 0, const unsigned int 109) line 577 + 
15 bytes
WellTerminated(JSContext * 0x03c8b488, JSTokenStream * 0x0401d008, int -1) line 
258 + 19 bytes
Statement(JSContext * 0x03c8b488, JSTokenStream * 0x0401d008, JSTreeContext * 
0x0012ee54) line 1723 + 32 bytes
Statements(JSContext * 0x03c8b488, JSTokenStream * 0x0401d008, JSTreeContext * 
0x0012ee54) line 897 + 17 bytes
FunctionBody(JSContext * 0x03c8b488, JSTokenStream * 0x0401d008, JSFunction * 
0x0401d440, JSTreeContext * 0x0012ee54) line 555 + 17 bytes
FunctionDef(JSContext * 0x03c8b488, JSTokenStream * 0x0401d008, JSTreeContext * 
0x0012efe4, int 0) line 731 + 21 bytes
FunctionStmt(JSContext * 0x03c8b488, JSTokenStream * 0x0401d008, JSTreeContext * 
0x0012efe4) line 867 + 19 bytes
Statement(JSContext * 0x03c8b488, JSTokenStream * 0x0401d008, JSTreeContext * 
0x0012efe4) line 1182 + 17 bytes
Statements(JSContext * 0x03c8b488, JSTokenStream * 0x0401d008, JSTreeContext * 
0x0012efe4) line 897 + 17 bytes
js_CompileTokenStream(JSContext * 0x03c8b488, JSObject * 0x02bfee18, 
JSTokenStream * 0x0401d008, JSCodeGenerator * 0x0012efe4) line 392 + 17 bytes
CompileTokenStream(JSContext * 0x03c8b488, JSObject * 0x02bfee18, JSTokenStream 
* 0x0401d008, void * 0x03c8b508, int * 0x00000000) line 2831 + 24 bytes
JS_CompileUCScriptForPrincipals(JSContext * 0x03c8b488, JSObject * 0x02bfee18, 
JSPrincipals * 0x03edab88, const unsigned short * 0x0401cec0, unsigned int 114, 
const char * 0x0401cdd0, unsigned int 29) line 2911 + 23 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x03c8b488, JSObject * 0x02bfee18, 
JSPrincipals * 0x03edab88, const unsigned short * 0x0401cec0, unsigned int 114, 
const char * 0x0401cdd0, unsigned int 29, long * 0x0012f1a4) line 3353 + 33 
bytes
nsJSContext::EvaluateString(nsJSContext * const 0x03c650a8, const nsAString & 
{...}, void * 0x02bfee18, nsIPrincipal * 0x03edab84, const char * 0x0401cdd0, 
unsigned int 29, const char * 0x00000000, nsAString & {...}, int * 0x0012f210) 
line 676 + 85 bytes
nsScriptLoader::EvaluateScript(nsScriptLoadRequest * 0x0401cd10, const 
nsAFlatString & {...}) line 576
nsScriptLoader::ProcessRequest(nsScriptLoadRequest * 0x0401cd10) line 483 + 22 
bytes
nsScriptLoader::ProcessScriptElement(nsScriptLoader * const 0x03eda9d0, 
nsIDOMHTMLScriptElement * 0x0401ca34, nsIScriptLoaderObserver * 0x0401ca38) line 
426 + 15 bytes
nsHTMLScriptElement::SetDocument(nsHTMLScriptElement * const 0x0401ca08, 
nsIDocument * 0x03ee4da0, int 0, int 1) line 159
nsGenericHTMLContainerElement::AppendChildTo(nsGenericHTMLContainerElement * 
const 0x03ee5288, nsIContent * 0x0401ca08, int 0, int 0) line 3823
HTMLContentSink::ProcessSCRIPTTag(const nsIParserNode & {...}) line 5115
HTMLContentSink::AddLeaf(HTMLContentSink * const 0x03eda828, const nsIParserNode 
& {...}) line 3476 + 12 bytes
CNavDTD::AddLeaf(const nsIParserNode * 0x03ffc848) line 3786 + 22 bytes
CNavDTD::HandleScriptToken(const nsIParserNode * 0x03ffc848) line 2233 + 12 
bytes
CNavDTD::OpenContainer(const nsCParserNode * 0x03ffc848, nsHTMLTag 
eHTMLTag_script, int 1, nsEntryStack * 0x00000000) line 3437 + 12 bytes
CNavDTD::HandleDefaultStartToken(CToken * 0x03ed9478, nsHTMLTag eHTMLTag_script, 
nsCParserNode * 0x03ffc848) line 1307 + 20 bytes
CNavDTD::HandleStartToken(CToken * 0x03ed9478) line 1720 + 22 bytes
CNavDTD::HandleToken(CNavDTD * const 0x03d3bf20, CToken * 0x00000000, nsIParser 
* 0x03ed9208) line 886 + 12 bytes
CNavDTD::BuildModel(CNavDTD * const 0x03d3bf20, nsIParser * 0x03ed9208, 
nsITokenizer * 0x03fdae70, nsITokenObserver * 0x00000000, nsIContentSink * 
0x03eda828) line 522 + 20 bytes
nsParser::BuildModel() line 1980 + 34 bytes
nsParser::ResumeParse(int 1, int 0) line 1846 + 11 bytes
nsParser::OnDataAvailable(nsParser * const 0x03ed920c, nsIRequest * 0x03ed59e8, 
nsISupports * 0x00000000, nsIInputStream * 0x03f8cbb0, unsigned int 0, unsigned 
int 527) line 2469 + 19 bytes
nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x03ed56a8, 
nsIRequest * 0x03ed59e8, nsISupports * 0x00000000, nsIInputStream * 0x03f8cbb0, 
unsigned int 0, unsigned int 527) line 241 + 46 bytes
nsStreamListenerTee::OnDataAvailable(nsStreamListenerTee * const 0x03f8ce80, 
nsIRequest * 0x03ed59e8, nsISupports * 0x00000000, nsIInputStream * 0x03edf8d0, 
unsigned int 0, unsigned int 527) line 56 + 51 bytes
nsHttpChannel::OnDataAvailable(nsHttpChannel * const 0x03ed59ec, nsIRequest * 
0x03ee0084, nsISupports * 0x00000000, nsIInputStream * 0x03edf8d0, unsigned int 
0, unsigned int 527) line 2427 + 57 bytes
nsOnDataAvailableEvent::HandleEvent() line 193 + 70 bytes
nsARequestObserverEvent::HandlePLEvent(PLEvent * 0x03fdb10c) line 116
PL_HandleEvent(PLEvent * 0x03fdb10c) line 590 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00e75690) line 520 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x000400fe, unsigned int 49403, unsigned int 0, 
long 15160976) line 1071 + 9 bytes
USER32! 77e02e98()
USER32! 77e030e0()
USER32! 77e05824()
nsAppShellService::Run(nsAppShellService * const 0x00e2bd60) line 303
main1(int 2, char * * 0x003c6c70, nsISupports * 0x00000000) line 1264 + 32 bytes
main(int 2, char * * 0x003c6c70) line 1594 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e87d08()
Reassigning to Kenton, and cc'ing Brendan on this crash. I'm not sure
if this is JS Engine's fault or not, since I cannot produce an example
that crashes in the standalone JS shell. 

bht@actrix.gen.nz: thank you for providing a reduced testcase.
I've been able to reduce the crash even further, to this:


<HTML><HEAD><SCRIPT>

window.onerror=f;
function f() {f.caller;}

</script></head><BODY><SCRIPT>

causeErr();
function causeErr() {1=2;}

</script></body></html>


I will attach this below, along with my stack trace on WinNT.
Assignee: rogerl → khanson
Attached file Reduced HTML testcase
On Linux, it crashes at:
http://lxr.mozilla.org/mozilla/source/js/src/jsfun.c#935
The code here is
934 if (fp && fp->down && fp->down->fun)
935   *vp = fp->down->argv[-2];

fp->down->argv = 0x0
So of course it gets a segfault.
Continuing on my last comment, I thought this info might be somewhat useful.
fp = {callobj = 0x0, argsobj = 0x0, varobj = 0x0, script = 0x87234c0,
  fun = 0x8288260, thisp = 0x848ca08, argc = 3, argv = 0x8736df4,
  rval = -2147483647, nvars = 0, vars = 0x8736e00, down = 0xbfffe260,
  annotation = 0x0, scopeChain = 0x848ca08, pc = 0x87234f7 "5",
  sp = 0x8736e08, spbase = 0x8736e04, sharpDepth = 0, sharpArray = 0x0,
  flags = 0, dormantNext = 0x0}
fp->down = {callobj = 0x0, argsobj = 0x0, varobj = 0x8691e30, script = 0x0,
  fun = 0x87331d0, thisp = 0x0, argc = 0, argv = 0x0, rval = 0, nvars = 0,
  vars = 0x0, down = 0xbfffe4a0, annotation = 0x0, scopeChain = 0x8691e30,
  pc = 0x0, sp = 0x8736e00, spbase = 0x0, sharpDepth = 0, sharpArray = 0x0,
  flags = 0, dormantNext = 0x0}
fp->down->fun = {nrefs = 1, object = 0x8691e30, native = 0, script = 0x0, nargs = 0,
  extra = 0, nvars = 0, flags = 0 '\000', spare = 0 '\000', atom = 0x87331b0,
  clasp = 0x0}

Hope this helps.
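As an added example (not code from the Mozilla tree and not posted by anyone in this bug), the following C model reduces the frame chain in the gdb dump above to just the fields the crash touches. It shows that the quoted test at jsfun.c line 934 checks `fp->down->fun` but never `fp->down->argv`, so a frame that carries a function but no argument vector passes the test and the read of `argv[-2]` dereferences NULL. The dump's `fp->down` (fun set, script and argv both 0) is consistent with a frame set up for a function whose body is still being compiled when the error reporter fires; this example takes that reading as an assumption. The guarded variant is this example's own illustration of an argv check, not the fix that was actually landed, which the bug does not show. Struct layouts, helper names and slot values are constructed for the example.

```c
/* Added example: model of the JSStackFrame chain from the gdb dump in bug
 * 117307. Not SpiderMonkey code; structs are reduced to the fields used. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef intptr_t jsval;                 /* the engine's tagged "long" jsval */
#define JSVAL_NULL ((jsval)0)

typedef struct JSFunction {
    const char *atom;                   /* function name */
    void *script;                       /* NULL until the body has been compiled */
} JSFunction;

typedef struct JSStackFrame {
    JSFunction *fun;
    unsigned argc;
    jsval *argv;                        /* argv[-2] is the callee, argv[-1] is this */
    void *script;
    struct JSStackFrame *down;          /* the calling frame */
} JSStackFrame;

/* The condition at jsfun.c line 934 as quoted above: when it holds, the
 * engine goes on to read fp->down->argv[-2] without looking at argv. */
int would_read_caller_argv(const JSStackFrame *fp) {
    return (fp && fp->down && fp->down->fun) ? 1 : 0;
}

/* Guarded lookup (this example's variant, not the committed fix): a frame
 * can carry a fun but no argument vector, so argv must be checked as well.
 * Returns the callee of the caller frame, or JSVAL_NULL if there is none. */
jsval caller_value(const JSStackFrame *fp) {
    if (fp && fp->down && fp->down->fun && fp->down->argv)
        return fp->down->argv[-2];
    return JSVAL_NULL;
}

/* Frames constructed to mirror the dump: fp is the onerror handler f
 * (argc 3, argv valid); fp->down has fun set but script == 0, argc == 0
 * and argv == 0. Slot values are constructed for this example; the callee
 * slot reuses the fun pointer from the dump as an opaque value. */
static char compiled_script;            /* stands in for a real JSScript */
jsval handler_slots[5] = { 0x8288260, 0x848ca08, 0, 0, 0 };   /* callee, this, a0..a2 */
JSFunction fun_f = { "f", &compiled_script };
JSFunction fun_causeErr = { "causeErr", NULL };               /* body not yet compiled */
JSStackFrame down_frame = { &fun_causeErr, 0, NULL, NULL, NULL };
JSStackFrame handler_frame = { &fun_f, 3, handler_slots + 2, &compiled_script, &down_frame };

/* Contrast: an ordinary interpreted caller, whose frame does have argv. */
jsval caller_slots[2] = { 0x8288260, 0x848ca08 };              /* callee, this */
JSStackFrame normal_down = { &fun_f, 0, caller_slots + 2, &compiled_script, NULL };
JSStackFrame normal_frame = { &fun_f, 0, handler_slots + 2, &compiled_script, &normal_down };

/* 1 if the unguarded test passes on the dump's chain while argv is NULL,
 * i.e. the original code would fault at the dereference. */
int crash_chain_would_fault(void) {
    return would_read_caller_argv(&handler_frame) && handler_frame.down->argv == NULL;
}

int main(void) {
    printf("unguarded test passes on crash chain: %d\n", would_read_caller_argv(&handler_frame));
    printf("caller frame argv is NULL: %d\n", handler_frame.down->argv == NULL);
    printf("guarded caller on crash chain: %ld\n", (long)caller_value(&handler_frame));
    printf("guarded caller on normal chain: %#lx\n", (unsigned long)caller_value(&normal_frame));
    return 0;
}
```

The point the model makes is the one in the dump: a non-null `fun` is not evidence that a frame was entered through `js_Invoke` with an argument vector, so any accessor that walks `down` to reach `argv` needs its own null check rather than relying on `fun`.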
Fixed.

The bug won't reproduce in the JS shell without a native function (shell
command) that emulates nsJSContext::CallEventHandler, which calls
JS_CallFunctionValue.

/be
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Many thanks for fixing this so quickly!
Verified FIXED -

Using Mozilla trunk binaries 20020102xx on WinNT, Linux, Mac9.1.
Both testcases now load without crashing. Instead, the proper error
messages are displayed in the JavaScript Console - 
Status: RESOLVED → VERIFIED
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/54417ebbaea2
Flags: in-testsuite+
